nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

Breach

OpenSSL Downgrades Panic Bug After Days of Anxiety

Initial Report
On October 27th it was reported by Dark Reading that organizations have five days to get ready for what the OpenSSL Project defined as a “serious” vulnerability impacting versions 3.0 and up of the widely used cryptographic library for encrypting digital communications. They caution that enterprises would rush to remedy the problem as soon as possible if this vulnerability turns out to be another Heartbleed flaw, which was the most recent serious vulnerability to affect OpenSSL.

Favorable News
We now have some good news after five days since the initial revelations of an internet-reshaping major flaw in OpenSSL. Instead of the critical rating that initially alarmed the online community, CVE-2022-37786 and CVE-2022-3602 have been published as high-rated vulnerabilities. According to OpenSSL:

“A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.”

As a result, the vulnerability is considerably harder to exploit than what was initially suggested.

Remediation
The two CVE reports published on November 1st indicate this issue as being present in OpenSSL versions 3.0.0 to 3.0.6. Despite the fact that these flaws are not as severe as anticipated, it is still advised that all businesses identify their OpenSSL implementations and update to version 3.0.7 right away. At this point, according to OpenSSL, there is no evidence that this vulnerability has been exploited in the wild and no operational exploit that could result in code execution. A list of notable operating systems and application runtimes which are packaged with a vulnerable version of OpenSSL has been established by the Computer Emergency Response Team (CERT) for the Netherlands.

What Now?
nGuard is ready to assist clients in detecting and mitigating OpenSSL vulnerabilities. nGuard can identify whether or not a vulnerable version of OpenSSL is present in your environment by performing vulnerability scans and penetration testing against both external and internal facing services. Organizations may feel at ease knowing that OpenSSL versions that are insecure are being fixed in their environments by carrying out these scans on a frequent basis.

TWiC | Fortinet PoC, US Airport Sites Go Offline, CISA Warns of Industrial Appliance Flaws, & Windows 11 Phishing Protection

Over the past few weeks there have been several hot topics and time sensitive advisories released. In this edition of This Week in Cybersecurity, nGuard will highlight the Fortinet proof-of-concept (PoC) that was released; Russian-speaking hackers taking down US Airport websites; Windows 11 offering automatic phishing protection; and CISA warning of critical flaws in some industrial appliances.

Fortinet PoC Released
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. A successful exploitation of the shortcoming is tantamount to granting complete access “to do just about anything” on the affected system. Fortinet issued an advisory urging customers to upgrade affected appliances to the latest version as soon as possible and CISA added this to their Known Exploited Vulnerabilities (KEV) Catalog. 12 unique IP addresses have accounted for most responsibility in weaponizing CVE-2022-40684 as of October 13, 2022. A majority of them are located in Germany, followed by the U.S., Brazil, China and France. nGuard covered this in more detail in a Security Advisory last week. Conducting ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment.

US Airport Sites Taken Down by Russian-Speaking Attackers
On Monday October 10th, more than a dozen public-facing airport websites, including those for some of the nation’s largest airports, appeared inaccessible, and Russian-speaking hackers claimed responsibility. The attack was carried out by a group known as Killnet, who support the Kremlin but are not thought to be government hackers. Killnet favors a type of attack known as a distributed denial of service (DDoS). Two of the sites that were affected by this attack were Atlanta’s Hartsfield-Jackson International Airport and the Los Angeles International Airport websites. Fortunately, there did not seem to be an impact to air travel itself but may have caused inconveniences for individuals traveling during the time access to those sites was attempted.

Windows 11 Offers Automatic Phishing Protection
Enhanced phishing protection now comes prebuilt into the Windows 11 operating system. This protection can automatically detect when users type their password into any app or site that is known to be dangerous. Admins can know exactly when a password has been stolen and can be equipped to better protect against such attacks. According to Microsoft, “When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack.” A blocking dialog warning is displayed prompting users to change their password if they type it into a phishing site in any Chromium browser or into an application connecting to a phishing site. If users try to store their password locally, like in Notepad or in any Microsoft 365 app, Windows 11 warns them that this is an unsafe practice and urges them to delete it from the file. To help train and test your employees on their security awareness, nGuard offers custom, tailored Security Awareness Training and social engineering.

CISA Publishes Two Advisories Regarding Industrial Appliances
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The list of issues, which affect R-SeeNet Versions 2.4.17 and prior are:

Patches have been made available in version R-SeeNet version 2.4.21 released on September 30, 2022.

These alerts come less than a week after CISA published 25 ICS advisories on October 13, 2022, spanning several vulnerabilities across devices from Siemens, Hitachi Energy, and Mitsubishi Electric.

nGuard has a wide array of experience assessing critical infrastructure, SCADA, and Industrial Control Systems (ICS) and can help you secure yours. Conducting annual penetration testing, having a proper Incident Response Plan, and ensuring you have the proper logging, alerting, and correlation can help you stay ahead of the attackers.

URGENT | Fortinet Authentication Bypass Vulnerability

On October 10, 2022, Fortinet, Inc released a new advisory for CVE-2022-40684 which affects the FortiOS, FortiProxy and FortiSwitchManager products.

Each of these products are vulnerable to an authentication bypass vulnerability. This vulnerability could allow an attacker to perform unauthenticated actions on the target system.  These actions include, but are not limited to:

  • Modifying admin user SSH keys.
  • Adding new local users
  • Updating network configurations to reroute traffic
  • Initiating packet captures to capture sensitive information

Publicly available exploit code is now starting to become available.

Affected Products

  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0

Solutions

  • Upgrade to FortiOS version 7.2.2 or above
  • Upgrade to FortiOS version 7.0.7 or above
  • Upgrade to FortiProxy version 7.2.1 or above
  • Upgrade to FortiProxy version 7.0.7 or above
  • Upgrade to FortiSwitchManager version 7.2.1 or above

Read more in:

Ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment. nGuard account executives are standing by to discuss solutions that elevate the overall security posture of your organization and ensure you are ready to handle vulnerabilities such as the ones described above.

Microsoft Exchange Zero-Days Mitigated, Then Bypassed!

Earlier this month two new zero-day exploits, CVE-2022-41040 and CVE-2022-41082, were released and code named ProxyNotShell due to similarities to another set of flaws called ProxyShell. nGuard covered one of the more recent Exchange zero-day vulnerabilities last year in another security advisory.

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability with 8.8 severity score out of 10. CVE-2022-41082 has been rated a 6.3 severity score out of 10 and allows Remote Code Execution (RCE) when PowerShell can be access by a malicious attacker. These vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019 for on-premises deployments. Microsoft stated, “While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.”

If an attacker can successfully exploit these vulnerabilities, they can compromise the victim’s system, obtain a web shell and install it, then attempt to pivot to other hosts on the network for further compromise. Microsoft said, with medium confidence, they can attribute many of the already carried out attacks to state-sponsored actors. These state-sponsored actors installed the China Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.

Microsoft has yet to release a patch for these vulnerabilities but did release workarounds for these two zero-days. However, shortly after their release it was discovered the recommended fix could be easily circumvented. This caused Microsoft to rewrite the mitigation to take this into account:

  1. Open IIS Manager
  2. Select Default Web Site
  3. In the Feature View, click URL Rewrite
  4. In the Actions pane on the right-hand side, click Add Rule(s)…
  5. Select Request Blocking and click OK
  6. Add the string “.*autodiscover\.json.*PowerShell.*” (excluding quotes)
  7. Select Regular Expression under Using
  8. Select Abort Request under How to block and then click OK
  9. Expand the rule and select the rule with the pattern: .*autodiscover\.json.*Powershell.* and click Edit under Conditions
  10. Change the Condition input from {URL} to {REQUEST_URI}

Microsoft also released a PowerShell script to apply the mitigation.

Outside of the Microsoft mitigations, you can protect your organization by:

  • Updating firewall rules, IPS, IDS systems to block known IP addresses targeting this vulnerability. You can download an updated list of malicious IPs and manually enter them in your perimeter protection devices.
  • Implementing multi-factor authentication (MFA) and training users not to accept unwanted MFA prompts.
  • Disabling Exchange Legacy Authentication.
  • Having a SIEM to help respond to ongoing threats to your environments based on correlating events from logs.
  • Ensuring you have a robust vulnerability management program in place to stay on top of the latest threats.
  • Conducting penetration testing on a frequent basis to ensure that attackers have limited or no path to pivot throughout your networks.
  • Either having an Incident Response retainer in place or having a pre-selected vendor to call should your organization fall victim to zero-days like this or any other attack.

TWiC | Lapsus$ Ransomware, LastPass Hack & MS ZeroDay

The past couple of weeks have been busy ones for the world of cybersecurity. Multiple companies have disclosed serious hacks that have led to breaches of customer data and overall system availability. In this week’s security advisory, nGuard will detail some of these incidents and their impact on the cybersecurity landscape.

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

The Lapsus$ crime gang is back at it again with an attack on the networking giant, Cisco. About a month ago, Cisco had disclosed that its systems were breached. A social engineering attack led adversaries on a pathway to overtaking an employee’s Google account. Saved credentials were then obtained from the browser and voice communications were utilized to trick the unsuspecting employee into accepting a multi-factor authentication push notification. Cisco believes the end goal of the attacker was to deploy ransomware on the network after gaining access to multiple systems. Cisco is reporting that attempts to deploy ransomware were unsuccessful.

LastPass Says Hackers Had Internal Access For Four Days

Lastpass reported a breach back in August and are now releasing some more details about the compromise. They are now reporting that an attacker had internal access to the company systems for four days before they were detected. Lastpass worked with a cybersecurity firm to investigate the incident and found that no customer data or password vaults were accessed during this time. LastPass maintains that your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass. The attacker was however able to access a developer endpoint and poke around the development environments.

Microsoft Patches a New Zero-Day Affecting All Versions of Windows

Microsoft is patching another zero-day vulnerability affecting all supported versions of Windows. This zero-day is reported as being used in real-world attacks. CVE-2022-37969 is a privilege elevation flaw in the Windows Common Log File System Driver. This is utilized for data and event logging. Once a system is compromised, this vulnerability can be used to escalate user privileges to the highest level, SYSTEM. 4 different security firms reported this vulnerability to Microsoft which makes them believe this could be widely used in real-world scenarios. They recommend patching immediately.

nGuard closely monitors trends in the world of cybersecurity and applies those trends to assessment activities and managed security services. Having penetration testing conducted periodically against network assets, web applications, and other critical infrastructure can prevent data breaches before they happen. Putting your employees through social engineering campaigns to test their security readiness can boost awareness. Having a security first mindset is essential in protecting the valuable data of organizations.  

Vulnerability Exploits Overtake Phishing as Initial Attack Vector

Most security professionals will advise the number one way attackers gain an initial foothold on a network is, and continues to be, phishing and social engineering attacks. Palo Alto recently released their 2022 Incident Response Report which confirmed what most would say is true. At a combined 42%, phishing and social engineering make up almost half of all means of initial access.

Source: 2022 Incident Response Report

The second most common way according to the above chart from Palo Alto is software vulnerabilities. However, in the first week of September, Kaspersky released its 2021 Incident Response Overview and it told a different story. 53.6% of the initial attack vectors they responded to were exploits of public-facing applications.

Source: 2021 Incident Response Overview

2021 had no shortage of time sensitive critical vulnerabilities including Log4j, Microsoft Exchange ProxyLogon, and three other CVEs related to the ProxyLogon vulnerabilities that were released in March of 2021. When these vulnerabilities are made publicly available it is only a matter of minutes before publicly facing systems are being scanned for vulnerable targets. Within hours, proof of concept exploits become available leading to an extremely high rate of organizations falling for such attacks.

In recent years, organizations have prioritized security awareness training and conducted social engineering and phishing training. But have those same organizations made it a priority to have a vulnerability management program in place?

How can organizations stay ahead of these attack trends? Start by building out a mature security program that includes annual penetration testing, ongoing vulnerability scanning, and a properly configured SIEM to alert on network anomalies. If you suspect a breach, identify a firm capable of responding to security incidents and secure an incident response retainer. Lastly, have an expert conduct a strategic security assessment to compare your organization’s security program to a known security standard like the Center for Internet Security Critical Security Controls.